
What does it mean to have a DNS identity type with Windows Authentication?

What does it mean, on a high level, to specify a DNS identity when using Windows Authentication for a WCF service? For example:

<configuration>
  <system.serviceModel>
    <bindings>
      <wsHttpBinding>
        <binding name="WSHttpBinding_ICalculator_Windows">
          <security>
            <message clientCredentialType="Windows"/>
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
    <client>
      <endpoint address="http://localhost:8003/servicemodelsamples/service/dnsidentity"
        binding="wsHttpBinding"
        bindingConfiguration="WSHttpBinding_ICalculator_Windows"
        contract="ICalculator"
        name="WSHttpBinding_ICalculator">
        <identity>
          <dns value="contoso.com" />
        </identity>
      </endpoint>
    </client>
  </system.serviceModel>
</configuration>

This page says:

In this case, when the client receives the Windows (Kerberos) credentials for the service, it expects the value to be contoso.com.

I don't really understand this. How can the value of credentials for the service be contoso.com? What does it mean by credentials?

Does it also verify that the actual DNS name of the service is indeed contoso.com? Otherwise, what would prevent someone from writing a rogue WCF service that says its identity is contoso.com?

If I am not mistaken, the contoso.com is used to resolve the SPN for Kerberos. The SPN looked up would be http/contoso.com:8003. This SPN would be mapped in Active Directory to a service account. The Kerberos ticket will be encrypted using the service account's credentials.
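The mechanism this answer describes, and which answers the "rogue service" worry in the question, as an added example that is not part of the original thread: a small Python simulation of the Kerberos service-ticket exchange. The client turns the configured DNS identity into an SPN, the KDC seals the ticket (and the session key inside it) under the key of the account that owns that SPN, and the service must open the ticket to complete mutual authentication. It assumes the WCF mapping of a DNS identity to the SPN form host/<value> (the answer above gives http/contoso.com:8003; the exact SPN string does not change the mechanism). The ToyKdc, Service, client_call and demo names are invented for this example, and the seal/unseal "encryption" is a toy XOR-plus-HMAC stand-in for Kerberos ticket encryption so that the code runs with the standard library only.

```python
import hashlib
import hmac
import secrets

# Toy sealing primitive: SHA-256 keystream XOR plus an HMAC tag. This stands in
# for Kerberos ticket encryption so the example runs with the standard library
# only; it is not a real cipher and must not be reused as one.
NONCE_LEN, TAG_LEN, KEY_LEN = 16, 32, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Bind plaintext to `key`: only a holder of `key` can open the result."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Open a sealed blob; raises ValueError if `key` is not the sealing key."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("blob was not sealed under this key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def spn_from_dns_identity(dns_value: str) -> str:
    """Assumed WCF mapping: <dns value="X"/> selects the SPN host/X."""
    return f"host/{dns_value}"


class ToyKdc:
    """Stand-in for the domain controller: knows which account owns each SPN."""

    def __init__(self) -> None:
        self._spn_keys: dict[str, bytes] = {}

    def register_spn(self, spn: str, account_key: bytes) -> None:
        # Only a directory administrator can do this; a rogue host cannot.
        self._spn_keys[spn] = account_key

    def service_ticket(self, client: str, spn: str) -> tuple[bytes, bytes]:
        """Return (session key for the client, ticket sealed under the SPN owner's key)."""
        if spn not in self._spn_keys:
            raise LookupError(f"no account holds SPN {spn}")
        session_key = secrets.token_bytes(KEY_LEN)
        body = session_key + f"{client}|{spn}".encode()
        return session_key, seal(self._spn_keys[spn], body)


class Service:
    """A service endpoint holding one account key (legitimate or rogue)."""

    def __init__(self, account_key: bytes) -> None:
        self._key = account_key

    def accept(self, ticket: bytes, authenticator: bytes) -> bytes:
        body = unseal(self._key, ticket)          # fails unless we own the SPN's key
        session_key = body[:KEY_LEN]
        challenge = unseal(session_key, authenticator)
        return seal(session_key, challenge)       # AP-REP: prove we learned the session key


def client_call(kdc: ToyKdc, service: Service, dns_identity: str, client: str = "alice") -> bool:
    """Client side: pin the expected identity, obtain a ticket, require mutual auth."""
    spn = spn_from_dns_identity(dns_identity)
    session_key, ticket = kdc.service_ticket(client, spn)
    challenge = secrets.token_bytes(8)
    try:
        ap_rep = service.accept(ticket, seal(session_key, challenge))
        return unseal(session_key, ap_rep) == challenge
    except ValueError:
        return False


def demo() -> dict[str, bool]:
    """Constructed scenario: one account owns host/contoso.com, a rogue host does not."""
    kdc = ToyKdc()
    contoso_key = secrets.token_bytes(KEY_LEN)
    kdc.register_spn(spn_from_dns_identity("contoso.com"), contoso_key)
    legitimate = Service(contoso_key)
    rogue = Service(secrets.token_bytes(KEY_LEN))   # claims to be contoso.com, lacks the key
    return {
        "legitimate": client_call(kdc, legitimate, "contoso.com"),
        "rogue": client_call(kdc, rogue, "contoso.com"),
    }


if __name__ == "__main__":
    print(demo())
```

The rogue endpoint can answer on the address and claim the name contoso.com all it likes: because the ticket is sealed under the key of the account that holds host/contoso.com in the directory, it cannot open the ticket, never learns the session key, and so cannot produce the AP-REP the client checks. That is what the DNS identity buys the client: it pins which account must hold the ticket's key, so "credentials for the service" here means the Kerberos ticket bound to that account, not anything the service sends about itself.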

I realize this is an old question, but I have found that in a self-hosted service with TCP bindings with Windows transport, the client doesn't seem to respect SpnIdentity settings, only DnsIdentity settings. Check here: wcf server authentication without certificates for more info and/or comments.
